I need some design advice. My goal here is that we need a way to expose
the authentication indicators to services in the FreeIPA UI/CLI.

Here is the good news: users can already set these values in FreeIPA
using kadmin. They do this by simply setting the require_auth string on
the target service principal. Our kdb plugin then encodes these with
the rest of the tl_data into the krbExtraData attribute.

I see two approaches here. First, we can try to manipulate the
krbExtraData attribute directly. Second, we can create a separate
attribute for the authentication indicator strings and then synthesize
the tl_data internally in kdb. We would have to do this for both reads
and writes so as not to break existing kdb functionality.

The trade-off that I see is that the first method complicates the
Python framework side where the second method complicates the kdb
plugin.

A third option, which I doubt is even possible, is to use kadmin to
manipulate this option rather than modifying LDAP directly.

Thoughts?